WordPress Plugin Vulnerabilities

Booking.com Banner Creator < 1.4.3 - Admin+ Stored Cross-Site Scripting

Description

The plugin does not properly sanitize inputs when creating banners, which could allow high-privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.

Proof of Concept

* Open the plugin's add new banner page (B.com Banner -> Add New Banner)
* The form field named "Banner Copy" is vulnerable to XSS payloads like:
 <--`<img/src=` onerror=alert(document.cookie)``> --!>
* Update or Publish the page, and you will be provided a shortcode similar to [bdotcom_bm bannerid="123"]
* You will then need to create a page that includes the Banner's shortcode above.
* Visiting the page with the banner's shortcode will trigger the XSS payload to execute.
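
A hardened save and render path for a field like "Banner Copy", given here as an added example; it is not the plugin's own code or its fix. The post type, meta key, nonce, field and shortcode names are hypothetical, and it assumes banner copy only needs post-level markup.

```php
<?php
// Added example: hypothetical plugin code, not taken from Booking.com Banner Creator.
// Assumed names: post type 'example_banner', meta key '_example_banner_copy',
// nonce field 'example_banner_nonce', shortcode 'example_banner'.

// Save path: filter the "Banner Copy" field unless the user may post raw HTML.
add_action( 'save_post_example_banner', function ( $post_id ) {
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['example_banner_nonce'], $_POST['example_banner_copy'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['example_banner_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'example_banner_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    $copy = wp_unslash( $_POST['example_banner_copy'] );
    // Admins lose unfiltered_html on multisite or with DISALLOW_UNFILTERED_HTML,
    // so the capability, not the role, decides whether markup is stored as-is.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $copy = wp_kses_post( $copy ); // drops event handlers and script elements
    }
    // update_post_meta() unslashes its input, so re-slash before storing.
    update_post_meta( $post_id, '_example_banner_copy', wp_slash( $copy ) );
} );

// Render path: filter again on output so values stored before the fix are covered.
add_shortcode( 'example_banner', function ( $atts ) {
    $atts = shortcode_atts( array( 'bannerid' => 0 ), $atts, 'example_banner' );
    $id   = absint( $atts['bannerid'] );
    if ( ! $id || 'example_banner' !== get_post_type( $id ) ) {
        return '';
    }
    $copy = (string) get_post_meta( $id, '_example_banner_copy', true );
    return '<div class="example-banner">' . wp_kses_post( $copy ) . '</div>';
} );
```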

Affects Plugins

References

Classification

Type
XSS
CWE
CVSS

Miscellaneous

Original Researcher
Asif Nawaz Minhas
Submitter
Asif Nawaz Minhas
Verified
Yes

Timeline

Publicly Published
2021-10-05 (about 2 years ago)
Added
2021-10-05 (about 2 years ago)
Last Updated
2023-04-12 (about 1 year ago)

Other